## Recap

It might be worthwhile to recall what we learned in this course:

• Perhaps first and foremost, that it is possible to mathematically define what it means for a cryptographic scheme to be secure. In the cases we studied such a definition could always be described as a “security game”. That is, we really define what it means for a scheme to be insecure and then a scheme is secure if it is not insecure. The notion of “insecurity” is that there exists some adversarial strategy that succeeds with higher probability than what it should have. We normally don’t limit the strategy of the adversary but only his or her capabilities: its computational power and the type of access it has to the system (e.g., chosen plaintext, chosen ciphertext, etc..). We also talked how the notion of secrecy requires randomness and how many real-life failures of cryptosystems amount to faulty assumptions on the sources of randomness.

• We saw the importance of being conservative in security definitions. For example, how despite the fact that the notion of chosen ciphertext attack (CCA) security seems too strong to capture any realistic scenario (e.g., when do we let an adversary play with a descryption box?), there are many natural cases where the using a CPA instead of a CCA secure encryption would lead to an attack on the overall protocol.

• We saw how we can prove security by reductions. Suppose we have a scheme $$S$$ that achieves some security notion $$X$$ (for example, $$S$$ might be a function that achieves the security notion of being a pseudorandom generator) and we use it to build a scheme $$T$$ that we want to achieve a security notion $$Y$$ (for example, we want $$T$$ to be a message authentication code). Then the way we prove security is that we show how we can transform an advesrary $$B$$ that wins against $$T$$ in the security game of $$Y$$ into an adversary $$A$$ that wins against $$S$$ in the security game of $$X$$. Typically the adversary $$A$$ will run $$B$$ “in its belly” simulating for $$B$$ the security game $$Y$$ with respect to $$T$$. This can be somewhat confusing so please re-read the last three sentences and make sure you understand this crucial notion.

• We also saw some of the concrete wonderful things we can do in cryptography:

• In the world of private key cryptography, we saw that based on the PRG conjecture we can get a CPA secure private key encryption (which in particular has key shorter than message), pseudorandom functions, message authentication codes, CCA secure encryption, commitment schemes, and even zero knowledge proofs for NP complete languages.

• We saw that assuming the existence of collision resistant hash functions, we can get message authentication codes (and digital signatures) where the key is shorter than the message. We talked about the heuristic of how we can model hash functions as a random oracle , and use that for “proofs of work” in the context of bitcoin and password derivation, as well as many other settings.

• We also discussed practical constructions of private key primitives such as the AES block ciphers, and how such block ciphers are modeled as pseudorandom permutations and how we can use them to get CPA or CCA secure encryption via various modes such as CBC or GCM. We also discussed the Merkle and Davis-Meyer length extension construction for hash functions, and how the Merkle tree construction can be used for secure storage.

• We saw the revolutionary notion of public key encryption, that two people can talk without having coordinated in advance. We saw constructions for this based on discrete log (e.g., the Diffie-Hellman protocol), factoring (e.g., the Rabin and RSA trapdoor permutations), and the learning with errors (LWE) problem. We saw the notion of digital signatures, and gave several different constructions. We saw how we can use digital signatures to create a “chain of trust” via certificates, and how the TLS protocol, which protects web traffic, works.

• We talked about some advances notions and in particular saw the construction of the surprising concept of a fully homomorphic encryption (FHE) scheme which has been rightly called by Bryan Hayes “one of the most amazing magic tricks in all of computer science”. Using FHE and zero knowledge proofs, we can get multiparty secure computation, which basically means that in the setting of interactive protocols between several parties, we can establish a “virtual trusted third party” (or, as I prefer to call it, a “virtual Chuck Norris”).

• We also saw other variants of encryption such as functional encryption, witness encryption and identity based encryption, which allow for “selective leaking” of information. For functional encryption and witness encryption we don’t yet have clean constructions under standard assumptions but only under obfuscation, but we saw how we could get identity based encryption using the random oracle heuristic and the assumption of the difficulty of the discrete logarithm problem in a group that admits an efficient pairing operation.

• We talked about the notion of obfuscation, which can be thought as the one tool that if it existed would imply all the others. We saw that virtual black box obfuscation does not exist, but there might exist a weaker notion known as “indistinguishability obfuscation” and we saw how it can be useful via the example of a witness encryption and a digital signature scheme. We mentioned (without proof) that it can also be used to obtain a functional encryption scheme.

• We talked about how quantum computing can change the landscape of cryptography, making lattice based constructions our main candidate for public key schemes.

• Finally we discussed some of the ethical and policy issues that arise in the applications of cryptography, and what is the impact cryptography has now, or can have in the future, on society.

## Some things we did not cover

• We did not cover what is arguably the other “fundamental theorem of cryptography”, namely the equivalence of one-way functions and pseudorandom generators. A one-way function is en efficient map $$F:{\{0,1\}}^*\rightarrow{\{0,1\}}^*$$ that is hard to invert on a random input. That is, for any afficient algorithm $$A$$ if $$A$$ is given $$y=F(x)$$ for uniformly chosen $$x{\leftarrow_R\;}{\{0,1\}}^n$$, then the probability that $$A$$ outputs $$x'$$ with $$F(x')=y$$ is negligible. It can be shown that one-way functions are minimal in the sense that they are necessary for a great many cryptographic applications including pseudorandom generators and functions, encryption with key shorter than the message, hash functions, message authentication codes, and many more. (Most of these results are obtained via the work of Impagliazzo and Luby who showed that if one-way functions do not exist then there is a universal posterior sampler in the sense that for every probabilistic process $$F$$ that maps $$x$$ to $$y$$, there is an efficient algorithm that given $$y$$ can sample $$x'$$ from a distribution close to the posterior distribution of $$x$$ conditioned on $$F(x)=y$$. This result is typically known as the equivalence of standard one-way functions and distributional one-way functions.) The fundamental result of Hastad, Impagliazzo, Levin and Luby is that one-way functions are also sufficient for much of private key cryptography since they imply the existence of pseudorandom generators.

• Related to this, although we mentioned this briefly, we did not go in depth into “Impagliazzo’s Worlds” of algorithmica, heuristica, pessiland, minicrypt, cryptomania (and the new one of “obfustopia”). If this piques your curiosity, please read this 1995 survey.

• We did not go in detail into the design of private key cryptosystems such as the AES. Though we discussed modes of operation of block ciphers we did not go into a full description of all modes that are used in practice. We also did not discuss cryptanalytic techniques such as linear and differential cryptanalysis. We also not discuss all technical issues that arise with length extention and padding of encryptions in practice. In particular we did not talk

• While we talked about bitcoin, the TLS protocol, two factor authentication systems, and some aspects of pretty good privacy, we restricted ourselves to abstractions of these systems and did not attempt a full “end to end” analysis of a complete system. I do hope you have learned the tools that you’d be able to understand the full operation of such a system if you need to.

• While we talked about Shor’s algorithm, the algorithm people actually use today to factor numbers is the number field sieve. It and its predecessor, the quadratic sieve, are well worth studying. The (freely available online) book of Shoup is an excellent source not just for these algorithms but general algorithmic group/number theory.

• We talked about some attacks on practical systems, but there many other attacks that teach us important lessons, not just about these particular systems, but also about security and cryptography in general (as well some human tendencies to repeat certain types of mistakes).

## What I hope you learned

I hope you got an appreciation for cryptography, and an understanding of how it can surprise you both in the amazing security properties it can deliver, as well in the subtle, but often devastating ways, that it can fail. Beyond cryptography, I hope you got out of this course the ability to think a little differently- to be paranoid enough to see the world from the point of view of an adversary, but also the lesson that sometimes if something sounds crazy but is not downright impossible it might just be feasible.
But if these philosophical ramblings don’t speak to you, as long as you know the difference between CPA and CCA and I won’t catch you reusing a one-time pad, you should be in good shape :)

I did not intend this course to teach you how to implement cryptographic algorithms, but I do hope that if you need to use cryptography at any point, you now have the skills to read up what’s needed, and be able to argue intelligently about the security of real-world systems. I also hope that you have now sufficient background to not be scared by the technical jargon and the abundance of adjectives in cryptography research papers, and be able to read up on what you need to follow any paper that is interesting to you.

Mostly, I just hope you enjoyed this last term and felt like this course was a good use of your time. I certainly did.